New Class of Malware Will Steal Behavioral Patterns

Computer scientists predict that a new generation of malware will mine social networks for people’s private patterns of behavior.

October 8, 2010

It’s not hard to find frightening examples of malware which steals personal information, sometimes for the purpose of making it public and at other times for profit. Details such as names, addresses and emails are hugely valuable for companies wanting to market their wares.

But there is another class of information associated with networks that is potentially much more valuable: the pattern of links between individuals and their behavior in the network–how often they email or call each other, how information spreads between them and so on.

Why is this more valuable? An email address associated with an individual who is at the hub of a vibrant social network is clearly more valuable to a marketing company than an email address at the edge of the network. Patterns of contact can also reveal how people are linked: whether they are in a relationship, for example, whether they are students or executives, or whether they prefer celebrity gossip to tech news.

This information would allow a determined attacker to build a remarkably detailed picture of the lifestyle of any individual, a picture that would be far more useful than the basic demographic information marketeers use today, which consists of little more than sex, age and social grouping.

Today, Yaniv Altshuler at Ben Gurion University and a few pals argue that the value of this data makes it almost inevitable that malicious attackers will attempt to steal it. They point out that many companies already mine the pattern of links in their data for things like recommender systems.

“There is no reason to think that developers of malicious applications will not implement the same method and algorithms into future malware, or that they have not already started doing so,” they say.

The idea would be to release some kind of malware that records the patterns of links in a network. This kind of malware will be very hard to detect, say Altshuler and co. They’ve studied the strategies that best mine behavioral pattern data from a real mobile phone network consisting of 800,000 links between 200,000 phones. (They call this type of attack “Stealing Reality”.)

In conventional attacks, malware spreads most efficiently when the infection rate is high, and this maximises the amount of information it can steal. But it also makes the malware relatively easy to spot.

In a behavioral pattern attack, their surprising conclusion is that the most effective way of mining data is to have a low infection rate, so the malware spreads slowly. That’s because it takes time to collect good information about an individual’s behavior patterns. Also, a slow spread is less likely to be picked up by network administrators and antivirus software.

Perhaps the most worrying aspect of this new kind of theft is its potential impact. If malware steals your credit card details or online banking passwords, you can easily change them and this limits the damage.

But if a malicious attacker steals your behavioral patterns, there’s almost nothing you can do. You can’t change your network of friends or family, for example.

What’s more, once this information is released, it is more or less impossible to contain–how would you ensure that every copy had been deleted?

The prospects for avoiding this new threat look bleak. As Altshuler and co point out: “History has shown that whenever something has a tangible value associated with it, there will always be those who try to malevolently ‘game’ the system for profit.”